From 3ee19d0b50de2b585b080d3c8d665e501d8bc0df Mon Sep 17 00:00:00 2001 From: Stefan Eissing Date: Fri, 5 Jan 2018 15:34:15 +0000 Subject: [PATCH] On the 2.4.x-mod_md branch: merged mod_md relevant parts of 1818030,1818120,1818308,1818725,1818792,1818849,1819799,1819854,1819943,1820036,1820310,1820312 from trunk git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-mod_md@1820314 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_md.xml | 19 ++++ modules/md/md.h | 11 ++ modules/md/md_acme.c | 4 +- modules/md/md_acme_authz.c | 96 ++++++++--------- modules/md/md_crypt.c | 63 +++++++---- modules/md/md_crypt.h | 1 + modules/md/md_reg.c | 9 ++ modules/md/md_store_fs.c | 144 ++++++++++++------------- modules/md/md_version.h | 4 +- modules/md/mod_md.c | 191 ++++++++++++++++++++-------------- modules/md/mod_md.h | 7 ++ modules/md/mod_md_config.c | 27 ++++- modules/md/mod_md_config.h | 1 + modules/ssl/ssl_engine_init.c | 7 ++ 14 files changed, 360 insertions(+), 224 deletions(-) diff --git a/docs/manual/mod/mod_md.xml b/docs/manual/mod/mod_md.xml index e06d0d21bf..9f17eb10e1 100644 --- a/docs/manual/mod/mod_md.xml +++ b/docs/manual/mod/mod_md.xml @@ -594,4 +594,23 @@ MDRequireHttps permanent + + MDBaseServer + Control if base server may be managed or only virtual hosts. + MDBaseServer on|off + MDBaseServer off + + server config + + +

+ Controls if the base server, the one outside all VirtualHosts should be managed by + mod_md or not. Default is to not do this, for the very reason that + it may have confusing side-effects. It is recommended that you have virtual hosts + for all managed domains and do not rely on the global, fallback server configuration. +

+
+
+ + diff --git a/modules/md/md.h b/modules/md/md.h index 0c4aed5fb9..1aa19adaf6 100644 --- a/modules/md/md.h +++ b/modules/md/md.h @@ -119,6 +119,7 @@ struct md_t { #define MD_KEY_CONTACT "contact" #define MD_KEY_CONTACTS "contacts" #define MD_KEY_CSR "csr" +#define MD_KEY_DETAIL "detail" #define MD_KEY_DISABLED "disabled" #define MD_KEY_DIR "dir" #define MD_KEY_DOMAIN "domain" @@ -275,4 +276,14 @@ struct md_creds_t { int expired; }; +/* TODO: not sure this is a good idea, testing some readability and debuggabiltiy of + * cascaded apr_status_t checks. */ +#define MD_CHK_VARS const char *md_chk_ +#define MD_LAST_CHK md_chk_ +#define MD_CHK_STEP(c, status, s) (md_chk_ = s, (void)md_chk_, status == (rv = (c))) +#define MD_CHK(c, status) MD_CHK_STEP(c, status, #c) +#define MD_IS_ERR(c, err) (md_chk_ = #c, APR_STATUS_IS_##err((rv = (c)))) +#define MD_CHK_SUCCESS(c) MD_CHK(c, APR_SUCCESS) +#define MD_OK(c) MD_CHK_SUCCESS(c) + #endif /* mod_md_md_h */ diff --git a/modules/md/md_acme.c b/modules/md/md_acme.c index e94cac34c8..f692e25dea 100644 --- a/modules/md/md_acme.c +++ b/modules/md/md_acme.c @@ -284,8 +284,8 @@ static apr_status_t inspect_problem(md_acme_req_t *req, const md_http_response_t const char *ptype, *pdetail; req->resp_json = problem; - ptype = md_json_gets(problem, "type", NULL); - pdetail = md_json_gets(problem, "detail", NULL); + ptype = md_json_gets(problem, MD_KEY_TYPE, NULL); + pdetail = md_json_gets(problem, MD_KEY_DETAIL, NULL); req->rv = problem_status_get(ptype); if (APR_STATUS_IS_EAGAIN(req->rv)) { diff --git a/modules/md/md_acme_authz.c b/modules/md/md_acme_authz.c index 68fdc36801..9cb1a09530 100644 --- a/modules/md/md_acme_authz.c +++ b/modules/md/md_acme_authz.c @@ -207,8 +207,10 @@ apr_status_t md_acme_authz_update(md_acme_authz_t *authz, md_acme_t *acme, md_store_t *store, apr_pool_t *p) { md_json_t *json; - const char *s; + const char *s, *err; + md_log_level_t log_level; apr_status_t rv; + MD_CHK_VARS; (void)store; assert(acme); 
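Review bot: `MD_CHK_VARS` declares `md_chk_` without an initializer, and the `MD_CHK*`/`MD_IS_ERR` macros assign to a local `rv` that the macro definitions never name, so every call site silently depends on an `apr_status_t rv` being in scope and on at least one check having executed before `MD_LAST_CHK` is printed; a log that reaches `MD_LAST_CHK` on a path where no check ran would read an indeterminate pointer. Initialising it, `#define MD_CHK_VARS const char *md_chk_ = ""`, makes `MD_LAST_CHK` safe to print unconditionally. The TODO comment above the macros should also state the `rv` requirement explicitly, and it misspells "debuggability".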
@@ -216,46 +218,46 @@ apr_status_t md_acme_authz_update(md_acme_authz_t *authz, md_acme_t *acme, assert(authz); assert(authz->location); - if (APR_SUCCESS != (rv = md_acme_get_json(&json, acme, authz->location, p))) { - md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "update authz for %s at %s", - authz->domain, authz->location); - return rv; - } - - authz->resource = json; - s = md_json_gets(json, "identifier", "type", NULL); - if (!s || strcmp(s, "dns")) return APR_EINVAL; - s = md_json_gets(json, "identifier", "value", NULL); - if (!s || strcmp(s, authz->domain)) return APR_EINVAL; - authz->state = MD_ACME_AUTHZ_S_UNKNOWN; - s = md_json_gets(json, "status", NULL); - if (s && !strcmp(s, "pending")) { - authz->state = MD_ACME_AUTHZ_S_PENDING; - } - else if (s && !strcmp(s, "valid")) { - authz->state = MD_ACME_AUTHZ_S_VALID; - if (md_log_is_level(p, MD_LOG_DEBUG)) { - md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p, "ACME server validated challenge " - "for %s in %s, ACME response is: %s", - authz->domain, authz->location, - md_json_writep(json, p, MD_JSON_FMT_COMPACT)); + json = NULL; + err = "unable to parse response"; + log_level = MD_LOG_ERR; + + if (MD_OK(md_acme_get_json(&json, acme, authz->location, p)) + && (s = md_json_gets(json, MD_KEY_IDENTIFIER, MD_KEY_TYPE, NULL)) + && !strcmp(s, "dns") + && (s = md_json_gets(json, MD_KEY_IDENTIFIER, MD_KEY_VALUE, NULL)) + && !strcmp(s, authz->domain) + && (s = md_json_gets(json, MD_KEY_STATUS, NULL))) { + + authz->resource = json; + if (!strcmp(s, "pending")) { + authz->state = MD_ACME_AUTHZ_S_PENDING; + err = "challenge 'pending'"; + log_level = MD_LOG_DEBUG; + } + else if (!strcmp(s, "valid")) { + authz->state = MD_ACME_AUTHZ_S_VALID; + err = "challenge 'valid'"; + log_level = MD_LOG_DEBUG; + } + else if (!strcmp(s, "invalid")) { + authz->state = MD_ACME_AUTHZ_S_INVALID; + err = "challenge 'invalid'"; } } - else if (s && !strcmp(s, "invalid")) { - authz->state = MD_ACME_AUTHZ_S_INVALID; - md_log_perror(MD_LOG_MARK, 
MD_LOG_ERR, 0, p, "ACME server reports challenge " - "for %s in %s as 'invalid', ACME response is: %s", - authz->domain, authz->location, - md_json_writep(json, p, MD_JSON_FMT_COMPACT)); + + if (json && authz->state == MD_ACME_AUTHZ_S_UNKNOWN) { + err = "unable to understand response"; + rv = APR_EINVAL; } - else if (s) { - md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, "ACME server reports unrecognized " - "authz state '%s' for %s in %s, ACME response is: %s", - s, authz->domain, authz->location, - md_json_writep(json, p, MD_JSON_FMT_COMPACT)); - return APR_EINVAL; + + if (md_log_is_level(p, log_level)) { + md_log_perror(MD_LOG_MARK, log_level, rv, p, "ACME server authz: %s for %s at %s. " + "Exact repsonse was: %s", err? err : "", authz->domain, authz->location, + json? md_json_writep(json, p, MD_JSON_FMT_COMPACT) : "not available"); } + return rv; } @@ -306,13 +308,14 @@ static apr_status_t setup_key_authz(md_acme_authz_cha_t *cha, md_acme_authz_t *a { const char *thumb64, *key_authz; apr_status_t rv; + MD_CHK_VARS; (void)authz; assert(cha); assert(cha->token); *pchanged = 0; - if (APR_SUCCESS == (rv = md_jws_pkey_thumb(&thumb64, p, acme->acct_key))) { + if (MD_OK(md_jws_pkey_thumb(&thumb64, p, acme->acct_key))) { key_authz = apr_psprintf(p, "%s.%s", cha->token, thumb64); if (cha->key_authz) { if (strcmp(key_authz, cha->key_authz)) { @@ -335,9 +338,10 @@ static apr_status_t cha_http_01_setup(md_acme_authz_cha_t *cha, md_acme_authz_t const char *data; apr_status_t rv; int notify_server; + MD_CHK_VARS; (void)key_spec; - if (APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, ¬ify_server))) { + if (!MD_OK(setup_key_authz(cha, authz, acme, p, ¬ify_server))) { goto out; } 
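Review bot: The unconditional `authz->state = MD_ACME_AUTHZ_S_UNKNOWN;` reset that the old code performed before inspecting the response is dropped in md_acme_authz_update, so when the JSON loads but `identifier`/`status` is missing or the status string is unrecognized, `authz->state` keeps whatever value an earlier update left there; the `json && authz->state == MD_ACME_AUTHZ_S_UNKNOWN` check then only fires on a first update, and the function returns APR_SUCCESS with a stale state while logging "unable to parse response" at ERR level. Reinstate `authz->state = MD_ACME_AUTHZ_S_UNKNOWN;` next to `json = NULL;` before the `MD_OK(...)` chain. The log format also has a typo: `"Exact repsonse was: %s"` should read `"Exact response was: %s"`. md_acme_authz_update starts in the previous hunk.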
@@ -395,9 +399,10 @@ static apr_status_t cha_tls_sni_01_setup(md_acme_authz_cha_t *cha, md_acme_authz apr_status_t rv; int notify_server; apr_array_header_t *domains; + MD_CHK_VARS; - if ( APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, ¬ify_server)) - || APR_SUCCESS != (rv = setup_cha_dns(&cha_dns, cha, p))) { + if ( !MD_OK(setup_key_authz(cha, authz, acme, p, ¬ify_server)) + || !MD_OK(setup_cha_dns(&cha_dns, cha, p))) { goto out; } @@ -415,18 +420,15 @@ static apr_status_t cha_tls_sni_01_setup(md_acme_authz_cha_t *cha, md_acme_authz /* setup a certificate containing the challenge dns */ domains = apr_array_make(p, 5, sizeof(const char*)); APR_ARRAY_PUSH(domains, const char*) = cha_dns; - rv = md_cert_self_sign(&cha_cert, authz->domain, domains, cha_key, - apr_time_from_sec(7 * MD_SECS_PER_DAY), p); - - if (APR_SUCCESS != rv) { + if (!MD_OK(md_cert_self_sign(&cha_cert, authz->domain, domains, cha_key, + apr_time_from_sec(7 * MD_SECS_PER_DAY), p))) { md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: setup self signed cert for %s", authz->domain, cha_dns); goto out; } - rv = md_store_save(store, p, MD_SG_CHALLENGES, cha_dns, MD_FN_TLSSNI01_PKEY, - MD_SV_PKEY, (void*)cha_key, 0); - if (APR_SUCCESS == rv) { + if (MD_OK(md_store_save(store, p, MD_SG_CHALLENGES, cha_dns, MD_FN_TLSSNI01_PKEY, + MD_SV_PKEY, (void*)cha_key, 0))) { rv = md_store_save(store, p, MD_SG_CHALLENGES, cha_dns, MD_FN_TLSSNI01_CERT, MD_SV_CERT, (void*)cha_cert, 0); } diff --git a/modules/md/md_crypt.c b/modules/md/md_crypt.c index 7277806fec..c35fef518e 100644 --- a/modules/md/md_crypt.c +++ b/modules/md/md_crypt.c 
@@ -783,30 +783,26 @@ int md_cert_covers_md(md_cert_t *cert, const md_t *md) apr_status_t md_cert_get_issuers_uri(const char **puri, md_cert_t *cert, apr_pool_t *p) { - int i, ext_idx, nid = NID_info_access; - X509_EXTENSION *ext; - X509V3_EXT_METHOD *ext_cls; - void *ext_data; - const char *uri = NULL; apr_status_t rv = APR_ENOENT; - - /* Waddle through x509 API history to get someone that may be able - * to hand us the issuer url for the cert chain */ - ext_idx = X509_get_ext_by_NID(cert->x509, nid, -1); - ext = (ext_idx >= 0)? X509_get_ext(cert->x509, ext_idx) : NULL; - ext_cls = ext? (X509V3_EXT_METHOD*)X509V3_EXT_get(ext) : NULL; - if (ext_cls && (ext_data = X509_get_ext_d2i(cert->x509, nid, 0, 0))) { - CONF_VALUE *cval; - STACK_OF(CONF_VALUE) *ext_vals = ext_cls->i2v(ext_cls, ext_data, 0); - - for (i = 0; i < sk_CONF_VALUE_num(ext_vals); ++i) { - cval = sk_CONF_VALUE_value(ext_vals, i); - if (!strcmp("CA Issuers - URI", cval->name)) { - uri = apr_pstrdup(p, cval->value); + STACK_OF(ACCESS_DESCRIPTION) *xinfos; + const char *uri = NULL; + unsigned char *buf; + int i; + + xinfos = X509_get_ext_d2i(cert->x509, NID_info_access, NULL, NULL); + if (xinfos) { + for (i = 0; i < sk_ACCESS_DESCRIPTION_num(xinfos); i++) { + ACCESS_DESCRIPTION *val = sk_ACCESS_DESCRIPTION_value(xinfos, i); + if (OBJ_obj2nid(val->method) == NID_ad_ca_issuers + && val->location && val->location->type == GEN_URI) { + ASN1_STRING_to_UTF8(&buf, val->location->d.uniformResourceIdentifier); + uri = apr_pstrdup(p, (char *)buf); + OPENSSL_free(buf); rv = APR_SUCCESS; break; } } + sk_ACCESS_DESCRIPTION_pop_free(xinfos, ACCESS_DESCRIPTION_free); } *puri = (APR_SUCCESS == rv)? uri : NULL; return rv; 
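Review bot: `ASN1_STRING_to_UTF8(&buf, ...)` in the new md_cert_get_issuers_uri loop is called without checking its result; on failure it returns a negative value and leaves `*out` unassigned, so `buf` (declared as an uninitialized `unsigned char *buf;`) is then handed to `apr_pstrdup` and `OPENSSL_free`. Guard it with `if (ASN1_STRING_to_UTF8(&buf, val->location->d.uniformResourceIdentifier) < 0) { continue; }` ahead of the `apr_pstrdup`. The same unchecked pattern appears in md_cert_get_alt_names in the next hunk, though that code is pre-existing. Since the URI presumably originates from a certificate rather than local configuration, copying by the returned length instead of `apr_pstrdup` would additionally avoid silent truncation at an embedded NUL.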
@@ -820,7 +816,7 @@ apr_status_t md_cert_get_alt_names(apr_array_header_t **pnames, md_cert_t *cert, unsigned char *buf; int i; - xalt_names = (GENERAL_NAMES*)X509_get_ext_d2i(cert->x509, NID_subject_alt_name, NULL, NULL); + xalt_names = X509_get_ext_d2i(cert->x509, NID_subject_alt_name, NULL, NULL); if (xalt_names) { GENERAL_NAME *cval; @@ -839,6 +835,7 @@ apr_status_t md_cert_get_alt_names(apr_array_header_t **pnames, md_cert_t *cert, break; } } + sk_GENERAL_NAME_pop_free(xalt_names, GENERAL_NAME_free); rv = APR_SUCCESS; } *pnames = (APR_SUCCESS == rv)? names : NULL; @@ -1106,6 +1103,30 @@ static apr_status_t sk_add_alt_names(STACK_OF(X509_EXTENSION) *exts, return APR_SUCCESS; } +#define MD_OID_MUST_STAPLE_NUM "1.3.6.1.5.5.7.1.24" +#define MD_OID_MUST_STAPLE_SNAME "tlsfeature" +#define MD_OID_MUST_STAPLE_LNAME "TLS Feature" + +static int get_must_staple_nid(void) +{ + /* Funny API, the OID for must staple might be configured or + * might be not. In the second case, we need to add it. But adding + * when it already is there is an error... */ + int nid = OBJ_txt2nid(MD_OID_MUST_STAPLE_NUM); + if (NID_undef == nid) { + nid = OBJ_create(MD_OID_MUST_STAPLE_NUM, + MD_OID_MUST_STAPLE_SNAME, MD_OID_MUST_STAPLE_LNAME); + } + return nid; +} + +int md_cert_must_staple(md_cert_t *cert) +{ + /* In case we do not get the NID for it, we treat this as not set. */ + int nid = get_must_staple_nid(); + return ((NID_undef != nid)) && X509_get_ext_by_NID(cert->x509, nid, -1) >= 0; +} + static apr_status_t add_must_staple(STACK_OF(X509_EXTENSION) *exts, const md_t *md, apr_pool_t *p) { @@ -1113,7 +1134,7 @@ static apr_status_t add_must_staple(STACK_OF(X509_EXTENSION) *exts, const md_t * X509_EXTENSION *x; int nid; - nid = OBJ_create("1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature"); + nid = get_must_staple_nid(); if (NID_undef == nid) { md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, "%s: unable to get NID for v3 must-staple TLS feature", md->name); 
diff --git a/modules/md/md_crypt.h b/modules/md/md_crypt.h index fc7c2d1dd3..94bde5ca86 100644 --- a/modules/md/md_crypt.h +++ b/modules/md/md_crypt.h @@ -107,6 +107,7 @@ int md_cert_is_valid_now(const md_cert_t *cert); int md_cert_has_expired(const md_cert_t *cert); int md_cert_covers_domain(md_cert_t *cert, const char *domain_name); int md_cert_covers_md(md_cert_t *cert, const struct md_t *md); +int md_cert_must_staple(md_cert_t *cert); apr_time_t md_cert_get_not_after(md_cert_t *cert); apr_time_t md_cert_get_not_before(md_cert_t *cert); diff --git a/modules/md/md_reg.c b/modules/md/md_reg.c index f5e6dc2c07..556d9aace7 100644 --- a/modules/md/md_reg.c +++ b/modules/md/md_reg.c @@ -234,6 +234,15 @@ static apr_status_t state_init(md_reg_t *reg, apr_pool_t *p, md_t *md, int save_ "needs sign up for a new certificate", md->name); goto out; } + if (!md->must_staple != !md_cert_must_staple(creds->cert)) { + state = MD_S_INCOMPLETE; + md_log_perror(MD_LOG_MARK, MD_LOG_INFO, rv, p, + "md{%s}: OCSP Stapling is%s requested, but certificate " + "has it%s enabled. Need to get a new certificate.", md->name, + md->must_staple? "" : " not", + !md->must_staple? "" : " not"); + goto out; + } for (i = 1; i < creds->pubcert->nelts; ++i) { cert = APR_ARRAY_IDX(creds->pubcert, i, const md_cert_t *); diff --git a/modules/md/md_store_fs.c b/modules/md/md_store_fs.c index e6a988d28a..726aeb8631 100644 --- a/modules/md/md_store_fs.c +++ b/modules/md/md_store_fs.c 
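Review bot: The new condition `if (!md->must_staple != !md_cert_must_staple(creds->cert))` in state_init is correct but hard to read because of the double negation used to normalise both sides to booleans; `if ((md->must_staple != 0) != (md_cert_must_staple(creds->cert) != 0))` states the intent (the two flags differ) directly. The message built from the two `%s` insertions yields "has it not enabled" in one case, which reads oddly; consider `"OCSP Stapling is%s requested, but the certificate does%s have it enabled. Need to get a new certificate."` with the same two arguments. state_init starts and ends outside this hunk.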
@@ -137,11 +137,12 @@ static apr_status_t rename_pkey(void *baton, apr_pool_t *p, apr_pool_t *ptemp, { const char *from, *to; apr_status_t rv = APR_SUCCESS; - + MD_CHK_VARS; + (void)baton; (void)ftype; - if (APR_SUCCESS == (rv = md_util_path_merge(&from, ptemp, dir, name, NULL)) - && APR_SUCCESS == (rv = md_util_path_merge(&to, ptemp, dir, MD_FN_PRIVKEY, NULL))) { + if ( MD_OK(md_util_path_merge(&from, ptemp, dir, name, NULL)) + && MD_OK(md_util_path_merge(&to, ptemp, dir, MD_FN_PRIVKEY, NULL))) { md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p, "renaming %s/%s to %s", dir, name, MD_FN_PRIVKEY); return apr_file_rename(from, to, ptemp); @@ -157,15 +158,16 @@ static apr_status_t mk_pubcert(void *baton, apr_pool_t *p, apr_pool_t *ptemp, apr_array_header_t *chain, *pubcert; const char *fname, *fpubcert; apr_status_t rv = APR_SUCCESS; + MD_CHK_VARS; (void)baton; (void)ftype; (void)p; - if ( APR_SUCCESS == (rv = md_util_path_merge(&fpubcert, ptemp, dir, MD_FN_PUBCERT, NULL)) - && APR_STATUS_IS_ENOENT((rv = md_chain_fload(&pubcert, ptemp, fpubcert))) - && APR_SUCCESS == (rv = md_util_path_merge(&fname, ptemp, dir, name, NULL)) - && APR_SUCCESS == (rv = md_cert_fload(&cert, ptemp, fname)) - && APR_SUCCESS == (rv = md_util_path_merge(&fname, ptemp, dir, MD_FN_CHAIN, NULL))) { + if ( MD_OK(md_util_path_merge(&fpubcert, ptemp, dir, MD_FN_PUBCERT, NULL)) + && MD_IS_ERR(md_chain_fload(&pubcert, ptemp, fpubcert), ENOENT) + && MD_OK(md_util_path_merge(&fname, ptemp, dir, name, NULL)) + && MD_OK(md_cert_fload(&cert, ptemp, fname)) + && MD_OK(md_util_path_merge(&fname, ptemp, dir, MD_FN_CHAIN, NULL))) { rv = md_chain_fload(&chain, ptemp, fname); if (APR_STATUS_IS_ENOENT(rv)) { 
@@ -209,8 +211,9 @@ static apr_status_t read_store_file(md_store_fs_t *s_fs, const char *fname, const char *key64, *key; apr_status_t rv; double store_version; + MD_CHK_VARS; - if (APR_SUCCESS == (rv = md_json_readf(&json, p, fname))) { + if (MD_OK(md_json_readf(&json, p, fname))) { store_version = md_json_getn(json, MD_KEY_STORE, MD_KEY_VERSION, NULL); if (store_version <= 0.0) { /* ok, an old one, compatible to 1.0 */ @@ -261,25 +264,23 @@ static apr_status_t setup_store_file(void *baton, apr_pool_t *p, apr_pool_t *pte md_store_fs_t *s_fs = baton; const char *fname; apr_status_t rv; + MD_CHK_VARS; (void)ap; s_fs->plain_pkey[MD_SG_DOMAINS] = 1; s_fs->plain_pkey[MD_SG_TMP] = 1; - rv = md_util_path_merge(&fname, ptemp, s_fs->base, FS_STORE_JSON, NULL); - if (APR_SUCCESS != rv) { + if (!MD_OK(md_util_path_merge(&fname, ptemp, s_fs->base, FS_STORE_JSON, NULL))) { return rv; } read: - if (APR_SUCCESS == (rv = md_util_is_file(fname, ptemp))) { + if (MD_OK(md_util_is_file(fname, ptemp))) { rv = read_store_file(s_fs, fname, p, ptemp); } - else if (APR_STATUS_IS_ENOENT(rv)) { - rv = init_store_file(s_fs, fname, p, ptemp); - if (APR_STATUS_IS_EEXIST(rv)) { - goto read; - } + else if (APR_STATUS_IS_ENOENT(rv) + && MD_IS_ERR(init_store_file(s_fs, fname, p, ptemp), EEXIST)) { + goto read; } return rv; } @@ -288,6 +289,7 @@ apr_status_t md_store_fs_init(md_store_t **pstore, apr_pool_t *p, const char *pa { md_store_fs_t *s_fs; apr_status_t rv = APR_SUCCESS; + MD_CHK_VARS; s_fs = apr_pcalloc(p, sizeof(*s_fs)); 
@@ -316,20 +318,15 @@ apr_status_t md_store_fs_init(md_store_t **pstore, apr_pool_t *p, const char *pa s_fs->base = apr_pstrdup(p, path); - if (APR_SUCCESS != (rv = md_util_is_dir(s_fs->base, p))) { - if (APR_STATUS_IS_ENOENT(rv)) { - rv = apr_dir_make_recursive(s_fs->base, s_fs->def_perms.dir, p); - if (APR_SUCCESS == rv) { - rv = apr_file_perms_set(s_fs->base, MD_FPROT_D_UALL_WREAD); - if (APR_STATUS_IS_ENOTIMPL(rv)) { - rv = APR_SUCCESS; - } - } + if (MD_IS_ERR(md_util_is_dir(s_fs->base, p), ENOENT) + && MD_OK(apr_dir_make_recursive(s_fs->base, s_fs->def_perms.dir, p))) { + rv = apr_file_perms_set(s_fs->base, MD_FPROT_D_UALL_WREAD); + if (APR_STATUS_IS_ENOTIMPL(rv)) { + rv = APR_SUCCESS; } } - rv = md_util_pool_vdo(setup_store_file, s_fs, p, NULL); - if (APR_SUCCESS != rv) { + if ((APR_SUCCESS != rv) || !MD_OK(md_util_pool_vdo(setup_store_file, s_fs, p, NULL))) { md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "init fs store at %s", path); } *pstore = (rv == APR_SUCCESS)? &(s_fs->s) : NULL; @@ -464,6 +461,7 @@ static apr_status_t pfs_load(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l md_store_group_t group; void **pvalue; apr_status_t rv; + MD_CHK_VARS; group = (md_store_group_t)va_arg(ap, int); name = va_arg(ap, const char *); @@ -471,8 +469,7 @@ static apr_status_t pfs_load(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l vtype = (md_store_vtype_t)va_arg(ap, int); pvalue= va_arg(ap, void **); - rv = fs_get_fname(&fpath, &s_fs->s, group, name, aspect, ptemp); - if (APR_SUCCESS == rv) { + if (MD_OK(fs_get_fname(&fpath, &s_fs->s, group, name, aspect, ptemp))) { rv = fs_fload(pvalue, s_fs, fpath, group, vtype, p, ptemp); } return rv; 
@@ -495,18 +492,14 @@ static apr_status_t mk_group_dir(const char **pdir, md_store_fs_t *s_fs, { const perms_t *perms; apr_status_t rv; + MD_CHK_VARS; perms = gperms(s_fs, group); - if (APR_SUCCESS == (rv = fs_get_dname(pdir, &s_fs->s, group, name, p)) - && (MD_SG_NONE != group)) { - if (APR_SUCCESS != md_util_is_dir(*pdir, p)) { - if (APR_SUCCESS == (rv = apr_dir_make_recursive(*pdir, perms->dir, p))) { - rv = dispatch(s_fs, MD_S_FS_EV_CREATED, group, *pdir, APR_DIR, p); - } - } - else { - /* already exists */ + if (MD_OK(fs_get_dname(pdir, &s_fs->s, group, name, p)) && (MD_SG_NONE != group)) { + if ( !MD_OK(md_util_is_dir(*pdir, p)) + && MD_OK(apr_dir_make_recursive(*pdir, perms->dir, p))) { + rv = dispatch(s_fs, MD_S_FS_EV_CREATED, group, *pdir, APR_DIR, p); } if (APR_SUCCESS == rv) { @@ -529,6 +522,7 @@ static apr_status_t pfs_is_newer(void *baton, apr_pool_t *p, apr_pool_t *ptemp, apr_finfo_t inf1, inf2; int *pnewer; apr_status_t rv; + MD_CHK_VARS; (void)p; group1 = (md_store_group_t)va_arg(ap, int); @@ -538,10 +532,10 @@ static apr_status_t pfs_is_newer(void *baton, apr_pool_t *p, apr_pool_t *ptemp, pnewer = va_arg(ap, int*); *pnewer = 0; - if ( APR_SUCCESS == (rv = fs_get_fname(&fname1, &s_fs->s, group1, name, aspect, ptemp)) - && APR_SUCCESS == (rv = fs_get_fname(&fname2, &s_fs->s, group2, name, aspect, ptemp)) - && APR_SUCCESS == (rv = apr_stat(&inf1, fname1, APR_FINFO_MTIME, ptemp)) - && APR_SUCCESS == (rv = apr_stat(&inf2, fname2, APR_FINFO_MTIME, ptemp))) { + if ( MD_OK(fs_get_fname(&fname1, &s_fs->s, group1, name, aspect, ptemp)) + && MD_OK(fs_get_fname(&fname2, &s_fs->s, group2, name, aspect, ptemp)) + && MD_OK(apr_stat(&inf1, fname1, APR_FINFO_MTIME, ptemp)) + && MD_OK(apr_stat(&inf2, fname2, APR_FINFO_MTIME, ptemp))) { *pnewer = inf1.mtime > inf2.mtime; } 
@@ -575,6 +569,7 @@ static apr_status_t pfs_save(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l const perms_t *perms; const char *pass; apr_size_t pass_len; + MD_CHK_VARS; group = (md_store_group_t)va_arg(ap, int); name = va_arg(ap, const char*); @@ -585,9 +580,9 @@ static apr_status_t pfs_save(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l perms = gperms(s_fs, group); - if (APR_SUCCESS == (rv = mk_group_dir(&gdir, s_fs, group, NULL, p)) - && APR_SUCCESS == (rv = mk_group_dir(&dir, s_fs, group, name, p)) - && APR_SUCCESS == (rv = md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) { + if ( MD_OK(mk_group_dir(&gdir, s_fs, group, NULL, p)) + && MD_OK(mk_group_dir(&dir, s_fs, group, name, p)) + && MD_OK(md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) { md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, ptemp, "storing in %s", fpath); switch (vtype) { @@ -632,6 +627,7 @@ static apr_status_t pfs_remove(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va int force; apr_finfo_t info; md_store_group_t group; + MD_CHK_VARS; (void)p; group = (md_store_group_t)va_arg(ap, int); @@ -641,12 +637,12 @@ static apr_status_t pfs_remove(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va groupname = md_store_group_name(group); - if (APR_SUCCESS == (rv = md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL)) - && APR_SUCCESS == (rv = md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) { + if ( MD_OK(md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL)) + && MD_OK(md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) { md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, ptemp, "start remove of md %s/%s/%s", groupname, name, aspect); - if (APR_SUCCESS != (rv = apr_stat(&info, dir, APR_FINFO_TYPE, ptemp))) { + if (!MD_OK(apr_stat(&info, dir, APR_FINFO_TYPE, ptemp))) { if (APR_ENOENT == rv && force) { return APR_SUCCESS; } 
@@ -692,6 +688,7 @@ static apr_status_t pfs_purge(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_ const char *dir, *name, *groupname; md_store_group_t group; apr_status_t rv; + MD_CHK_VARS; (void)p; group = (md_store_group_t)va_arg(ap, int); @@ -699,7 +696,7 @@ static apr_status_t pfs_purge(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_ groupname = md_store_group_name(group); - if (APR_SUCCESS == (rv = md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL))) { + if (MD_OK(md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL))) { /* Remove all files in dir, there should be no sub-dirs */ rv = md_util_rm_recursive(dir, ptemp, 1); } @@ -734,15 +731,14 @@ static apr_status_t insp(void *baton, apr_pool_t *p, apr_pool_t *ptemp, apr_status_t rv; void *value; const char *fpath; + MD_CHK_VARS; (void)ftype; md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, ptemp, "inspecting value at: %s/%s", dir, name); - if (APR_SUCCESS == (rv = md_util_path_merge(&fpath, ptemp, dir, name, NULL))) { - rv = fs_fload(&value, ctx->s_fs, fpath, ctx->group, ctx->vtype, p, ptemp); - if (APR_SUCCESS == rv - && !ctx->inspect(ctx->baton, name, ctx->aspect, ctx->vtype, value, ptemp)) { - return APR_EOF; - } + if ( MD_OK(md_util_path_merge(&fpath, ptemp, dir, name, NULL)) + && MD_OK(fs_fload(&value, ctx->s_fs, fpath, ctx->group, ctx->vtype, p, ptemp)) + && !ctx->inspect(ctx->baton, name, ctx->aspect, ctx->vtype, value, ptemp)) { + return APR_EOF; } return rv; } @@ -779,6 +775,7 @@ static apr_status_t pfs_move(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l md_store_group_t from, to; int archive; apr_status_t rv; + MD_CHK_VARS; (void)p; from = (md_store_group_t)va_arg(ap, int); 
@@ -792,27 +789,26 @@ static apr_status_t pfs_move(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l return APR_EINVAL; } - rv = md_util_path_merge(&from_dir, ptemp, s_fs->base, from_group, name, NULL); - if (APR_SUCCESS != rv) goto out; - rv = md_util_path_merge(&to_dir, ptemp, s_fs->base, to_group, name, NULL); - if (APR_SUCCESS != rv) goto out; + if ( !MD_OK(md_util_path_merge(&from_dir, ptemp, s_fs->base, from_group, name, NULL)) + || !MD_OK(md_util_path_merge(&to_dir, ptemp, s_fs->base, to_group, name, NULL))) { + goto out; + } - if (APR_SUCCESS != (rv = md_util_is_dir(from_dir, ptemp))) { + if (!MD_OK(md_util_is_dir(from_dir, ptemp))) { md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, ptemp, "source is no dir: %s", from_dir); goto out; } - rv = archive? md_util_is_dir(to_dir, ptemp) : APR_ENOENT; - if (APR_SUCCESS == rv) { + if (MD_OK(archive? md_util_is_dir(to_dir, ptemp) : APR_ENOENT)) { int n = 1; const char *narch_dir; - rv = md_util_path_merge(&dir, ptemp, s_fs->base, md_store_group_name(MD_SG_ARCHIVE), NULL); - if (APR_SUCCESS != rv) goto out; - rv = apr_dir_make_recursive(dir, MD_FPROT_D_UONLY, ptemp); - if (APR_SUCCESS != rv) goto out; - rv = md_util_path_merge(&arch_dir, ptemp, dir, name, NULL); - if (APR_SUCCESS != rv) goto out; + if ( !MD_OK(md_util_path_merge(&dir, ptemp, s_fs->base, + md_store_group_name(MD_SG_ARCHIVE), NULL)) + || !MD_OK(apr_dir_make_recursive(dir, MD_FPROT_D_UONLY, ptemp)) + || !MD_OK(md_util_path_merge(&arch_dir, ptemp, dir, name, NULL))) { + goto out; + } #ifdef WIN32 /* WIN32 and handling of files/dirs. What can one say? */ 
@@ -835,8 +831,7 @@ static apr_status_t pfs_move(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l while (n < 1000) { narch_dir = apr_psprintf(ptemp, "%s.%d", arch_dir, n); - rv = apr_dir_make(narch_dir, MD_FPROT_D_UONLY, ptemp); - if (APR_SUCCESS == rv) { + if (MD_OK(apr_dir_make(narch_dir, MD_FPROT_D_UONLY, ptemp))) { md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, ptemp, "using archive dir: %s", narch_dir); break; @@ -863,19 +858,18 @@ static apr_status_t pfs_move(void *baton, apr_pool_t *p, apr_pool_t *ptemp, va_l goto out; } - if (APR_SUCCESS != (rv = apr_file_rename(to_dir, narch_dir, ptemp))) { + if (!MD_OK(apr_file_rename(to_dir, narch_dir, ptemp))) { md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, ptemp, "rename from %s to %s", to_dir, narch_dir); goto out; } - if (APR_SUCCESS != (rv = apr_file_rename(from_dir, to_dir, ptemp))) { + if (!MD_OK(apr_file_rename(from_dir, to_dir, ptemp))) { md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, ptemp, "moving %s to %s: %s", from_dir, to_dir); apr_file_rename(narch_dir, to_dir, ptemp); goto out; } - rv = dispatch(s_fs, MD_S_FS_EV_MOVED, to, to_dir, APR_DIR, ptemp); - if (APR_SUCCESS == rv) { + if (MD_OK(dispatch(s_fs, MD_S_FS_EV_MOVED, to, to_dir, APR_DIR, ptemp))) { rv = dispatch(s_fs, MD_S_FS_EV_MOVED, MD_SG_ARCHIVE, narch_dir, APR_DIR, ptemp); } } diff --git a/modules/md/md_version.h b/modules/md/md_version.h index 7b0b428671..d76a15b6fe 100644 --- a/modules/md/md_version.h +++ b/modules/md/md_version.h @@ -26,7 +26,7 @@ * @macro * Version number of the md module as c string */ -#define MOD_MD_VERSION "1.1.4" +#define MOD_MD_VERSION "1.1.8" /** * @macro @@ -34,7 +34,7 @@ * release. This is a 24 bit number with 8 bits for major number, 8 bits * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. */ -#define MOD_MD_VERSION_NUM 0x010104 +#define MOD_MD_VERSION_NUM 0x010108 #define MD_ACME_DEF_URL "https://acme-v01.api.letsencrypt.org/directory" 
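Review bot: The log call following the second rename in pfs_move, `md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, ptemp, "moving %s to %s: %s", from_dir, to_dir);`, has three `%s` conversions but only two arguments, so the third reads an indeterminate vararg; that is undefined behaviour and may crash or print garbage on exactly the failure path this hunk rewrites. It is a context line here, but the commit touches the `if (!MD_OK(apr_file_rename(from_dir, to_dir, ptemp)))` directly above it, so drop the trailing conversion: `"moving %s to %s", from_dir, to_dir);`. The result of the rollback `apr_file_rename(narch_dir, to_dir, ptemp);` is discarded; if that is deliberate best-effort, a one-line comment saying so would help. pfs_move starts before this hunk and continues after it.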
diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c index 718b41d32d..038f1d2824 100644 --- a/modules/md/mod_md.c +++ b/modules/md/mod_md.c @@ -218,8 +218,12 @@ static apr_status_t assign_to_servers(md_t *md, server_rec *base_server, servers = apr_array_make(ptemp, 5, sizeof(server_rec*)); for (s = base_server; s; s = s->next) { - r.server = s; + if (!mc->manage_base_server && s == base_server) { + /* we shall not assign ourselves to the base server */ + continue; + } + r.server = s; for (i = 0; i < md->domains->nelts; ++i) { domain = APR_ARRAY_IDX(md->domains, i, const char*); @@ -459,29 +463,21 @@ static apr_status_t setup_store(md_store_t **pstore, md_mod_conf_t *mc, { const char *base_dir; apr_status_t rv; + MD_CHK_VARS; base_dir = ap_server_root_relative(p, mc->base_dir); - if (APR_SUCCESS != (rv = md_store_fs_init(pstore, p, base_dir))) { + if (!MD_OK(md_store_fs_init(pstore, p, base_dir))) { ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10046)"setup store for %s", base_dir); goto out; } md_store_fs_set_event_cb(*pstore, store_file_ev, s); - if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_CHALLENGES, p, s))) { + if ( !MD_OK(check_group_dir(*pstore, MD_SG_CHALLENGES, p, s)) + || !MD_OK(check_group_dir(*pstore, MD_SG_STAGING, p, s)) + || !MD_OK(check_group_dir(*pstore, MD_SG_ACCOUNTS, p, s))) { ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10047) - "setup challenges directory"); - goto out; - } - if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_STAGING, p, s))) { - ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10048) - "setup staging directory"); - goto out; - } - if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_ACCOUNTS, p, s))) { - ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10049) - "setup accounts directory"); - goto out; + "setup challenges directory, call %s", MD_LAST_CHK); } out: 
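Review bot: The merged failure branch in setup_store logs `"setup challenges directory, call %s"` under APLOGNO(10047) for all three `check_group_dir` calls, so a failure on MD_SG_STAGING or MD_SG_ACCOUNTS is reported as a challenges-directory problem and only the `MD_LAST_CHK` suffix distinguishes them. Make the text neutral, e.g. `"setup store group directory, call %s", MD_LAST_CHK);`. The retired APLOGNO(10048) and APLOGNO(10049) tags should not be reused for other messages later, per the httpd log-tag convention. setup_store continues past the hunk to the `out:` label.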
@@ -495,12 +491,13 @@ static apr_status_t setup_reg(md_reg_t **preg, apr_pool_t *p, server_rec *s, md_mod_conf_t *mc; md_store_t *store; apr_status_t rv; + MD_CHK_VARS; sc = md_config_get(s); mc = sc->mc; - if (APR_SUCCESS == (rv = setup_store(&store, mc, p, s)) - && APR_SUCCESS == (rv = md_reg_init(preg, p, store, mc->proxy_url))) { + if ( MD_OK(setup_store(&store, mc, p, s)) + && MD_OK(md_reg_init(preg, p, store, mc->proxy_url))) { mc->reg = *preg; return md_reg_set_props(*preg, p, can_http, can_https); } @@ -801,10 +798,6 @@ static apr_status_t run_watchdog(int state, void *baton, apr_pool_t *ptemp) "next run in %s", md_print_duration(ptemp, next_run - now)); } wd_set_interval(wd->watchdog, next_run - now, wd, run_watchdog); - - for (i = 0; i < wd->jobs->nelts; ++i) { - job = APR_ARRAY_IDX(wd->jobs, i, md_job_t *); - } break; case AP_WATCHDOG_STATE_STOPPING: 
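Review bot: Removing the empty `for` over `wd->jobs` in the AP_WATCHDOG_STATE_RUNNING branch of run_watchdog is right, but that loop was presumably the only use of `i` and `job` in the function; if they are declared at the top of run_watchdog (outside this hunk), they are now unused locals and will trip -Wunused-variable, so drop those declarations as well. run_watchdog starts and ends outside this hunk.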
@@ -1133,26 +1126,28 @@ static int md_is_managed(server_rec *s) return 0; } -static apr_status_t setup_fallback_cert(md_store_t *store, const md_t *md, apr_pool_t *p) +static apr_status_t setup_fallback_cert(md_store_t *store, const md_t *md, + server_rec *s, apr_pool_t *p) { md_pkey_t *pkey; md_cert_t *cert; md_pkey_spec_t spec; apr_status_t rv; - + MD_CHK_VARS; + spec.type = MD_PKEY_TYPE_RSA; spec.params.rsa.bits = MD_PKEY_RSA_BITS_DEF; - - if ( APR_SUCCESS == (rv = md_pkey_gen(&pkey, p, &spec)) - && APR_SUCCESS == (rv = md_store_save(store, p, MD_SG_DOMAINS, md->name, - MD_FN_FALLBACK_PKEY, MD_SV_PKEY, (void*)pkey, 0)) - && APR_SUCCESS == (rv = md_cert_self_sign(&cert, "Apache Managed Domain Fallback", - md->domains, pkey, - apr_time_from_sec(14 * MD_SECS_PER_DAY), p))) { - rv = md_store_save(store, p, MD_SG_DOMAINS, md->name, - MD_FN_FALLBACK_CERT, MD_SV_CERT, (void*)cert, 0); + + if ( !MD_OK(md_pkey_gen(&pkey, p, &spec)) + || !MD_OK(md_store_save(store, p, MD_SG_DOMAINS, md->name, + MD_FN_FALLBACK_PKEY, MD_SV_PKEY, (void*)pkey, 0)) + || !MD_OK(md_cert_self_sign(&cert, "Apache Managed Domain Fallback", + md->domains, pkey, apr_time_from_sec(14 * MD_SECS_PER_DAY), p)) + || !MD_OK(md_store_save(store, p, MD_SG_DOMAINS, md->name, + MD_FN_FALLBACK_CERT, MD_SV_CERT, (void*)cert, 0))) { + ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, + "%s: setup fallback certificate, call %s", md->name, MD_LAST_CHK); } - return rv; } 
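Review bot: The new `ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, "%s: setup fallback certificate, call %s", md->name, MD_LAST_CHK);` in setup_fallback_cert carries no APLOGNO tag, unlike the other APLOG_ERR calls in this file (e.g. APLOGNO(10046) in setup_store); allocate a fresh tag and write `ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(<new-tag>) "%s: setup fallback certificate, call %s", md->name, MD_LAST_CHK);`. The signature gains a `server_rec *s` parameter, so every caller must be updated in the same commit; the only candidate visible here is md_get_certificate, whose call site lies outside this view, so please confirm. A short header comment stating that the function generates a self-signed 14-day fallback pair and stores it under MD_SG_DOMAINS would also help readers.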
@@ -1169,62 +1164,105 @@ static apr_status_t md_get_certificate(server_rec *s, apr_pool_t *p,
 md_reg_t *reg;
 md_store_t *store;
 const md_t *md;
+ MD_CHK_VARS;
 *pkeyfile = NULL;
 *pcertfile = NULL;
-
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10113)
+ "md_get_certificate called for vhost %s.", s->server_hostname);
+
 sc = md_config_get(s);
+ if (!sc) {
+ ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
+ "asked for certificate of server %s which has no md config",
+ s->server_hostname);
+ return APR_ENOENT;
+ }
+
+ if (!sc->assigned) {
+ /* Hmm, mod_ssl (or someone like it) asks for certificates for a server
+ * where we did not assign a MD to. Either the user forgot to configure
+ * that server with SSL certs, has misspelled a server name or we have
+ * a bug that prevented us from taking responsibility for this server.
+ * Either way, make some polite noise */
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10114)
+ "asked for certificate of server %s which has no MD assigned. This "
+ "could be ok, but most likely it is either a misconfiguration or "
+ "a bug. Please check server names and MD names carefully and if "
+ "everything checks open, please open an issue.",
+ s->server_hostname);
+ return APR_ENOENT;
+ }
- if (sc && sc->assigned) {
- assert(sc->mc);
- reg = sc->mc->reg;
- assert(reg);
+ assert(sc->mc);
+ reg = sc->mc->reg;
+ assert(reg);
+
+ md = md_reg_get(reg, sc->assigned->name, p);
+ if (!md) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10115)
+ "unable to hand out certificates, as registry can no longer "
+ "find MD '%s'.", sc->assigned->name);
+ return APR_ENOENT;
+ }
+
+ if (!MD_OK(md_reg_get_cred_files(reg, md, p, pkeyfile, pcertfile))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10110)
+ "retrieving credentials for MD %s", md->name);
+ return rv;
+ }
+
+ if (!fexists(*pkeyfile, p) || !fexists(*pcertfile, p)) {
+ /* Provide temporary, self-signed certificate as fallback, so that
+ * clients do not get obscure TLS handshake errors or will see a fallback
+ * virtual host that is not intended to be served here. */
 store = md_reg_store_get(reg);
- assert(store);
-
- md = md_reg_get(reg, sc->assigned->name, p);
-
- if (APR_SUCCESS != (rv = md_reg_get_cred_files(reg, md, p, pkeyfile, pcertfile))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10110)
- "retrieving credentials for MD %s", md->name);
- return rv;
- }
-
+ assert(store);
+
+ md_store_get_fname(pkeyfile, store, MD_SG_DOMAINS,
+ md->name, MD_FN_FALLBACK_PKEY, p);
+ md_store_get_fname(pcertfile, store, MD_SG_DOMAINS,
+ md->name, MD_FN_FALLBACK_CERT, p);
 if (!fexists(*pkeyfile, p) || !fexists(*pcertfile, p)) {
- /* Provide temporary, self-signed certificate as fallback, so that
- * clients do not get obscure TLS handshake errors or will see a fallback
- * virtual host that is not intended to be served here. */
-
- md_store_get_fname(pkeyfile, store, MD_SG_DOMAINS,
- md->name, MD_FN_FALLBACK_PKEY, p);
- md_store_get_fname(pcertfile, store, MD_SG_DOMAINS,
- md->name, MD_FN_FALLBACK_CERT, p);
- if (!fexists(*pkeyfile, p) || !fexists(*pcertfile, p)) {
- if (APR_SUCCESS != (rv = setup_fallback_cert(store, md, p))) {
- ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s,
- "%s: setup fallback certificate", md->name);
- return rv;
- }
+ if (!MD_OK(setup_fallback_cert(store, md, s, p))) {
+ return rv;
 }
-
- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
- "%s: providing fallback certificate for server %s",
- md->name, s->server_hostname);
- return APR_EAGAIN;
 }
-
- /* We have key and cert files, but they might no longer be valid or not
- * match all domain names. Still use these files for now, but indicate that
- * resources should no longer be served until we have a new certificate again. */
- if (md->state != MD_S_COMPLETE) {
- return APR_EAGAIN;
- }
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10077)
- "%s: providing certificate for server %s", md->name, s->server_hostname);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10116)
+ "%s: providing fallback certificate for server %s",
+ md->name, s->server_hostname);
+ return APR_EAGAIN;
 }
+
+ /* We have key and cert files, but they might no longer be valid or not
+ * match all domain names. Still use these files for now, but indicate that
+ * resources should no longer be served until we have a new certificate again. */
+ if (md->state != MD_S_COMPLETE) {
+ rv = APR_EAGAIN;
+ }
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s, APLOGNO(10077)
+ "%s: providing certificate for server %s", md->name, s->server_hostname);
 return rv;
 }
+static int compat_warned;
+static apr_status_t md_get_credentials(server_rec *s, apr_pool_t *p,
+ const char **pkeyfile,
+ const char **pcertfile,
+ const char **pchainfile)
+{
+ *pchainfile = NULL;
+ if (!compat_warned) {
+ compat_warned = 1;
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, /* no APLOGNO */
+ "You are using mod_md with an old patch to mod_ssl. This will "
+ " work for now, but support will be dropped in a future release.");
+ }
+ return md_get_certificate(s, p, pkeyfile, pcertfile);
+}
+
 static int md_is_challenge(conn_rec *c, const char *servername, X509 **pcert, EVP_PKEY **pkey)
 {
@@ -1414,5 +1452,6 @@ static void md_hooks(apr_pool_t *pool)
 APR_REGISTER_OPTIONAL_FN(md_is_managed);
 APR_REGISTER_OPTIONAL_FN(md_get_certificate);
 APR_REGISTER_OPTIONAL_FN(md_is_challenge);
+ APR_REGISTER_OPTIONAL_FN(md_get_credentials);
 }
diff --git a/modules/md/mod_md.h b/modules/md/mod_md.h
index 34edba8a1f..edfee72165 100644
--- a/modules/md/mod_md.h
+++ b/modules/md/mod_md.h
@@ -38,5 +38,12 @@ APR_DECLARE_OPTIONAL_FN(int, md_is_challenge, (struct conn_rec *, const char *,
 X509 **pcert, EVP_PKEY **pkey));
+/* Backward compatibility to older mod_ssl patches, will generate
+ * a WARNING in the logs, use 'md_get_certificate' instead */
+APR_DECLARE_OPTIONAL_FN(apr_status_t,
+ md_get_credentials, (struct server_rec *, apr_pool_t *,
+ const char **pkeyfile,
+ const char **pcertfile,
+ const char **pchainfile));
 #endif /* mod_md_mod_md_h */
diff --git a/modules/md/mod_md_config.c b/modules/md/mod_md_config.c
index 761338c342..8cf95dda23 100644
--- a/modules/md/mod_md_config.c
+++ b/modules/md/mod_md_config.c
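Review bot: In the fallback branch of md_get_certificate, `md_store_get_fname` writes the fallback paths into `*pkeyfile` and `*pcertfile` before `setup_fallback_cert` is called, so when that call fails the function returns an error while the out-parameters still point at files that may not exist — the `*pkeyfile = NULL; *pcertfile = NULL;` initialisation at the top is not honoured on that path. Reset them before the early return: `*pkeyfile = NULL; *pcertfile = NULL; return rv;`. The fallback pair is only checked with `fexists`; given the 14-day validity set in setup_fallback_cert, a server whose ACME signup never completes will keep handing out the expired self-signed pair, so this path would benefit from a validity check or at least a `/* TODO: regenerate fallback cert when expired */` note. In `md_get_credentials`, `"This will " " work for now"` concatenates to a double space in the logged warning; drop the leading space of the second literal.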
@@ -50,6 +50,7 @@
 #define MD_CMD_OLD_MD "ManagedDomain"
 #define MD_CMD_MD_SECTION "server);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+
+ (void)dc;
+ if (!err) {
+ if (!apr_strnatcasecmp("off", value)) {
+ config->mc->manage_base_server = 0;
+ }
+ else if (!apr_strnatcasecmp("on", value)) {
+ config->mc->manage_base_server = 1;
+ }
+ else {
+ err = apr_pstrcat(cmd->pool, "unknown '", value,
+ "', supported parameter values are 'on' and 'off'", NULL);
+ }
+ }
+ return err;
+}
+
 static const char *md_config_set_require_https(cmd_parms *cmd, void *dc, const char *value)
 {
 md_srv_conf_t *config = md_config_get(cmd->server);
@@ -831,6 +854,8 @@ const command_rec md_cmds[] = {
 "Redirect non-secure requests to the https: equivalent."),
 AP_INIT_TAKE1( MD_CMD_NOTIFYCMD, md_config_set_notify_cmd, NULL, RSRC_CONF,
 "set the command to run when signup/renew of domain is complete."),
+ AP_INIT_TAKE1( MD_CMD_BASE_SERVER, md_config_set_base_server, NULL, RSRC_CONF,
+ "allow managing of base server outside virtual hosts."),
 /* This will disappear soon */
 AP_INIT_TAKE_ARGV( MD_CMD_OLD_MD, md_config_set_names_old, NULL, RSRC_CONF,
diff --git a/modules/md/mod_md_config.h b/modules/md/mod_md_config.h
index 10edbab096..87caf2774a 100644
--- a/modules/md/mod_md_config.h
+++ b/modules/md/mod_md_config.h
@@ -47,6 +47,7 @@ typedef struct {
 int local_443; /* On which port https:443 arrives */
 int can_http; /* Does someone listen to the local port 80 equivalent? */
 int can_https; /* Does someone listen to the local port 443 equivalent? */
+ int manage_base_server; /* If base server outside vhost may be managed */
 int hsts_max_age; /* max-age of HSTS (rfc6797) header */
 const char *hsts_header; /* computed HTST header to use or NULL */
 apr_array_header_t *unused_names; /* post config, names of all MDs not assigned to a vhost */
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 6f7dd33b7c..2c26564126 100644
--- a/modules/ssl/ssl_engine_init.c
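Review bot: `md_config_set_base_server` compares the `on`/`off` argument with `apr_strnatcasecmp`, which is the natural-order comparator meant for sorting strings that contain numbers; it happens to work for fixed keywords, but plain `strcasecmp` (or whichever case-insensitive compare the other setters in this file use) states the intent more directly, `if (!strcasecmp("off", value))`. The `GLOBAL_ONLY` context check matches the `server config` context documented for MDBaseServer, and the unknown-value error only echoes a configuration-file argument back to the administrator, which is fine. The first lines of this function, including how `config` is obtained, are not legible in this rendering of the hunk, so they could not be reviewed.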
+++ b/modules/ssl/ssl_engine_init.c
@@ -251,6 +251,13 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 /*
 * Create the server host:port string because we need it a lot
 */
+ if (sc->vhost_id) {
+ /* already set. This should only happen if this config rec is
+ * shared with another server. Argh! */
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10104)
+ "%s, SSLSrvConfigRec shared from %s",
+ ssl_util_vhostid(p, s), sc->vhost_id);
+ }
 sc->vhost_id = ssl_util_vhostid(p, s);
 sc->vhost_id_len = strlen(sc->vhost_id);
-- 
2.40.0
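Review bot: In the new warning block, `ssl_util_vhostid(p, s)` is evaluated twice — once in the log call and again on the assignment to `sc->vhost_id` that follows — and the message `"%s, SSLSrvConfigRec shared from %s"` does not tell the administrator what is wrong or what to check. Compute the id once into a local before the `if` and use it in both places, and make the text actionable, e.g. `"%s: SSLSrvConfigRec already carries vhost_id %s (config shared between servers); overwriting"`. The code still overwrites the earlier server's `vhost_id` after warning; whether that has consequences depends on what else keys off `vhost_id`, which lies outside this hunk.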